Didier Stevens

Sunday 30 August 2020

Update: oledump.py 0.0.53

Filed under: My Software,Update — Didier Stevens @ 13:45

This new version of oledump.py has bug fixes, updates for -s and –raw -v options, plugins, and a bug fix for plugin_vbaproject.

Streams can now be select (-s –select) by name too. Make sure to include the single quotes:

oledump_V0_0_53.zip (https)
MD5: C26EB56580D65B2E856169A3EFC9BC03
SHA256: A10D90284F10C6D7811E2573049FE0F8315F04129846898C88E0184423988CD9

Sunday 23 August 2020

New Tool: XORSearch.py

Filed under: Announcement,My Software — Didier Stevens @ 19:42

XORSearch, written in C, is a tool of mine I started 10+ years ago. But more and more security tools don’t like it.

So I decided to stop adding new features to XORSeach in C, and start programming a Python version to implement new features. This is a work in progress.

For the moment, the Python version only supports XOR-encoding with a one-byte key, and can only search for printable content.

Take a look at my SANS ISC diary entry to see how I use it.

I will still maintain the C version: perform bug fixes and add new features that require the speed of compiled C.

But features like detecting printable content will normally be used on small files, and then speed is not an issue.

Sunday 16 August 2020

Update: numbers-to-string.py Version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 8:39

This new version of numbers-to-string.py, a tool to extract numbers from text files and convert them to strings, adds a verbose option (-v –verbose).


Running this with verbose option shows which lines were selected for number extraction:

numbers-to-string_v0_0_10.zip (https)
MD5: C7B8985C5A7D856F68A88BBD491375E6
SHA256: 8CED403C795E9287DD1500C8A0EFBF41F8837BE112113D425A7F8C97D9D1A27E

Thursday 30 July 2020

Update: pecheck.py Version 0.7.11

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bugfix version

pecheck-v0_7_11.zip (https)
MD5: D3B69575F0A08377D1A08886D34230FD
SHA256: 2B59F745377EABDF81118997CA70F5F4DBC1CE927370F02C6E0262869F988FA9

Tuesday 28 July 2020

Update: InteractiveSieve 0.9.1

Filed under: My Software,Update — Didier Stevens @ 0:00

There are many new features in this update to InteractiveSieve (I neglected to publish updates).

InteractiveSieve is a C# tool I developed to help me visualize and sift through logs (CSV files).

I want to record a couple of videos to show what this tool can do.

Here is a list of updates:

  • Added Remember and >= <= popup menu commands
  • Added Paste to Sift dialog
  • Added separator option None
  • Added choice for Pivot table: matrix, list and uniques
  • Fixed Reveal all bug, thanks Bart Vanautgaerden for reporting
  • Added Hide colored lines and Hine uncolored lines; Added Info and Set as index column
  • Bugfix DataGridViewEx
  • Added Load sieve and Save sieve
  • Added m:n to pivot table
  • Added Invert
  • Added bookmarks
  • Added Previous and Next Bookmark toolbar buttons
  • Bugfix SaveSieve for bookmarks
  • Added Comment…
  • Added header when saving
  • Fix for header when loading with filter
  • Added load with lookup
  • Added Treeview
  • Added drag and drop; automatic and colon separator; invert with load filter
  • Added Copy for row
  • Pivot table list and uniques: Added support for Hide and Color buttons
  • Added Sift… value
  • Added Transform (regex) and restore
  • Added Reload

InteractiveSieve_V_0_9_1_0.zip (https)
MD5: C8B5B3E768FB62B7508F055122453594
SHA256: 063A83D9DBA900C8B245532D510E822A305B258C9A3DD05F19F4F0ED2753B6E1

Monday 27 July 2020

Update: zipdump.py Version 0.0.20

Filed under: My Software,Update — Didier Stevens @ 0:00

I added detection of data descriptor records (PK 0x07 0x08) to option -f L (list all ZIP records found inside the provided file).

zipdump_v0_0_20.zip (https)
MD5: A0A826BB92805997ED3D9793C8B24385
SHA256: AC626299A6048FA4A7E8BE2993411870F77B4B89F647B6C4264E0CC22E180999

Sunday 26 July 2020

Update: oledump.py 0.0.52

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py brings support for AES encrypted ZIP files via Python module pyzipper (Python 3 only). If module pyzipper is not installed, oledump will fall back to builtin module zipfile.


And plugin plugin_vbaproject.py does now a small dictionary attack on the extracted hash to try to recover the password.

I use the same dictionary as in zipdump.py, a dictionary that is the public domain, default wordlist used by John the Ripper, extended with a couple of passwords: infected, P@ssw0rd and VelvetSweatshop.

oledump_V0_0_52.zip (https)
MD5: 2528824D8A7CD2BE98615B1B1AE8C61A
SHA256: C47A9CC658571FF23E70264B4DD4F8F47D244708E7110EA0A28128F175CF80F5

Sunday 19 July 2020

Update: oledump.py Version 0.0.51

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bugfix update to oledump.py, and a feature update for plugins.

plugin_biff.py has a new -S (–statistics) option:

This option can be combined with option -c (–csv).

And there is a new plugin for VBA projects: plugin_vbaproject.py. More info in tomorrow’s blog post.


oledump_V0_0_51.zip (https)
MD5: 9A55FC37AD0C4C2F3D08F252C72C1A82
SHA256: 071D1605D520A4BABBE2CDA461866C349628FE4B428AC54823492A6CD89EA487

Saturday 18 July 2020

Update XORSearch Version 1.11.4

Filed under: My Software,Update — Didier Stevens @ 10:08

This is a small bug fix version of XORSearch: fixing some printf format strings for Linux, thanks to Lenny Zeltser for reporting.

Because of Google, I can no longer host this tool on my website.

You have to get it from my FalsePositives GitHub repository.

MD5: E66290D1EB15D9394C8D1264A09ECFE6

Friday 3 July 2020

Update: base64dump.py Version 0.0.12

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of base64dump.py adds the following new features:

  • encoding zxc (0x4D,0x5A,0x90,…)
  • update for YARA rules
  • update for –cut option
  • option -A: run-length encoded HEX/ASCII dump
  • warning when no encoding was selected
  • environment variable to set hash algorithm (DSS_DEFAULT_HASH_ALGORITHMS)
  • option –jsonoutput
  • option -T: headtail
  • option -p: process encodings
  • Python 3 support

base64dump_V0_0_12.zip (https)
MD5: 834B0D2DB5915ECE1C2F016B9E8462D1
SHA256: 952A5009C945AF350DB0875E8F025E3B5D271FB54AC60BE7569CFBD949DD7B77

Next Page »

Blog at WordPress.com.